security: harden mirror workflow and add security documentation (#1)

- Update actions/checkout to v4.2.2 (SHA-pinned)
- Update webfactory/ssh-agent to v0.9.1 (SHA-pinned)
- Add SSH known host verification for MITM protection
- Add concurrency controls to prevent race conditions
- Add job timeout limits (10 minutes)
- Use dynamic github.repository_owner instead of hardcoded org
- Change permissions from read-all to contents: read (more specific)
- Add SECURITY.md with vulnerability reporting guidelines
- Add CODEOWNERS for workflow review requirements
- Add .gitignore for common exclusions
- Add ROADMAP.md with project phases and security checklist

Co-authored-by: Claude <noreply@anthropic.com>

Author: hyperpolymath

.github/CODEOWNERS

@@ -0,0 +1,11 @@
+# CODEOWNERS - Defines code ownership for review requirements
+# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default owners for everything in the repo
+* @hyperpolymath
+
+# Workflow files require maintainer review (security-critical)
+/.github/workflows/ @hyperpolymath
+
+# Security policy requires maintainer review
+/SECURITY.md @hyperpolymath

.github/workflows/mirror.yml

@@ -6,53 +6,93 @@ on:
     branches: [main, master]
   workflow_dispatch:
 
-permissions: read-all
+# Prevent concurrent mirror operations to avoid race conditions
+concurrency:
+  group: mirror-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  # SSH known hosts for security - prevents MITM attacks
+  # These are the official SSH host keys for each platform
+  GITLAB_HOST_KEY: "gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf"
+  CODEBERG_HOST_KEY: "codeberg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIVIC02vnjFyL+I4RHfvIGNtOgJMe769VTF1VR4EB3ZB"
+  BITBUCKET_HOST_KEY: "bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO"
 
 jobs:
   mirror-gitlab:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     if: vars.GITLAB_MIRROR_ENABLED == 'true'
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - name: Add GitLab to known hosts
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ env.GITLAB_HOST_KEY }}" >> ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
+
+      - uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # v0.9.1
         with:
           ssh-private-key: ${{ secrets.GITLAB_SSH_KEY }}
+
       - name: Mirror to GitLab
         run: |
-          git remote add gitlab git@gitlab.com:hyperpolymath/${GITHUB_REPOSITORY#*/}.git || true
+          git remote add gitlab "git@gitlab.com:${{ github.repository_owner }}/${GITHUB_REPOSITORY#*/}.git" || true
           git push gitlab --all --force
           git push gitlab --tags --force
 
   mirror-codeberg:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     if: vars.CODEBERG_MIRROR_ENABLED == 'true'
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - name: Add Codeberg to known hosts
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ env.CODEBERG_HOST_KEY }}" >> ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
+
+      - uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # v0.9.1
         with:
           ssh-private-key: ${{ secrets.CODEBERG_SSH_KEY }}
+
       - name: Mirror to Codeberg
         run: |
-          git remote add codeberg git@codeberg.org:hyperpolymath/${GITHUB_REPOSITORY#*/}.git || true
+          git remote add codeberg "git@codeberg.org:${{ github.repository_owner }}/${GITHUB_REPOSITORY#*/}.git" || true
           git push codeberg --all --force
           git push codeberg --tags --force
 
   mirror-bitbucket:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     if: vars.BITBUCKET_MIRROR_ENABLED == 'true'
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - name: Add Bitbucket to known hosts
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ env.BITBUCKET_HOST_KEY }}" >> ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/known_hosts
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
+
+      - uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # v0.9.1
         with:
           ssh-private-key: ${{ secrets.BITBUCKET_SSH_KEY }}
+
       - name: Mirror to Bitbucket
         run: |
-          git remote add bitbucket git@bitbucket.org:hyperpolymath/${GITHUB_REPOSITORY#*/}.git || true
+          git remote add bitbucket "git@bitbucket.org:${{ github.repository_owner }}/${GITHUB_REPOSITORY#*/}.git" || true
           git push bitbucket --all --force
           git push bitbucket --tags --force

.gitignore

@@ -0,0 +1,28 @@
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# IDE and editor files
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# Secrets and credentials (never commit these)
+*.pem
+*.key
+.env
+.env.*
+!.env.example
+credentials.json
+secrets.yaml
+
+# Logs
+*.log
+logs/

ROADMAP.md

@@ -0,0 +1,141 @@
+# MAA Framework - Roadmap
+
+## Current Status
+
+The MAA Framework repository is configured as a **hub-and-spoke mirror system** that automatically synchronizes code across multiple Git hosting platforms:
+
+- **GitHub** (hub/primary)
+- **GitLab** (mirror)
+- **Codeberg** (mirror)
+- **Bitbucket** (mirror)
+
+---
+
+## Phase 1: Infrastructure & Security (Completed)
+
+- [x] Hub-and-spoke mirror workflow
+- [x] SHA-pinned GitHub Actions for supply chain security
+- [x] SSH host key verification (MITM protection)
+- [x] Concurrency controls for race condition prevention
+- [x] Job timeouts to prevent resource exhaustion
+- [x] SECURITY.md policy document
+- [x] CODEOWNERS for review requirements
+- [x] Dynamic repository owner (not hardcoded)
+
+---
+
+## Phase 2: Enhanced CI/CD Pipeline
+
+### Workflow Improvements
+- [ ] Add status badges to README
+- [ ] Implement failure notifications (Slack/Discord/Email)
+- [ ] Add workflow status checks before mirroring
+- [ ] Create PR preview environments (if applicable)
+
+### Testing & Quality
+- [ ] Add workflow linting (actionlint)
+- [ ] Implement YAML schema validation
+- [ ] Add Dependabot for action version updates
+- [ ] Set up CodeQL for security scanning
+
+### Documentation
+- [ ] Add README.md with setup instructions
+- [ ] Document mirror configuration process
+- [ ] Create CONTRIBUTING.md guidelines
+- [ ] Add architecture diagrams
+
+---
+
+## Phase 3: Advanced Mirroring Features
+
+### Selective Mirroring
+- [ ] Branch filtering (exclude feature branches from mirrors)
+- [ ] Tag filtering (only release tags)
+- [ ] Path-based exclusions for platform-specific files
+
+### Mirror Health
+- [ ] Add mirror verification step (compare HEADs)
+- [ ] Implement automatic retry with exponential backoff
+- [ ] Create mirror drift detection alerts
+- [ ] Add periodic full-sync workflow (scheduled)
+
+### Platform-Specific Features
+- [ ] GitLab CI/CD configuration mirroring
+- [ ] Codeberg-specific integrations
+- [ ] Bitbucket Pipelines compatibility
+
+---
+
+## Phase 4: Governance & Compliance
+
+### Access Control
+- [ ] Branch protection rules
+- [ ] Required reviews for workflow changes
+- [ ] Signed commits enforcement
+- [ ] Deploy key rotation schedule
+
+### Audit & Compliance
+- [ ] Mirror operation audit logs
+- [ ] Secret rotation reminders
+- [ ] Compliance documentation (GDPR, etc.)
+- [ ] License compliance checking
+
+### Disaster Recovery
+- [ ] Backup verification procedures
+- [ ] Mirror promotion playbook (if GitHub unavailable)
+- [ ] Recovery time objectives (RTO) documentation
+
+---
+
+## Phase 5: Framework Development
+
+*Pending project direction - the following are suggested based on "MAA Framework" naming:*
+
+### Core Framework
+- [ ] Define framework purpose and scope
+- [ ] Establish coding standards
+- [ ] Create project structure
+- [ ] Set up dependency management
+
+### Developer Experience
+- [ ] Local development setup
+- [ ] Testing framework
+- [ ] Code formatting/linting
+- [ ] Pre-commit hooks
+
+---
+
+## Security Checklist
+
+| Item | Status | Notes |
+|------|--------|-------|
+| SHA-pinned actions | Done | v4.2.2 checkout, v0.9.1 ssh-agent |
+| SSH host verification | Done | ed25519 keys for all platforms |
+| Minimal permissions | Done | contents: read only |
+| Secret management | Done | GitHub encrypted secrets |
+| Concurrency control | Done | Prevents parallel runs |
+| Job timeouts | Done | 10 minutes per job |
+| CODEOWNERS | Done | Maintainer review required |
+| Security policy | Done | SECURITY.md |
+| Dependabot | Pending | Phase 2 |
+| CodeQL scanning | Pending | Phase 2 |
+| Signed commits | Pending | Phase 4 |
+
+---
+
+## Version History
+
+| Date | Version | Changes |
+|------|---------|---------|
+| 2025-12-17 | 0.1.0 | Initial mirror workflow |
+| 2025-12-17 | 0.2.0 | Security hardening, SECURITY.md, CODEOWNERS |
+
+---
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) (to be created) for guidelines on contributing to this project.
+
+## License
+
+AGPL-3.0-or-later

SECURITY.md

@@ -0,0 +1,54 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| main    | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly:
+
+1. **Do NOT** create a public GitHub issue for security vulnerabilities
+2. Send a private report to the repository maintainers via GitHub's private vulnerability reporting feature
+3. Include as much detail as possible:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if any)
+
+## Security Measures
+
+This repository implements the following security practices:
+
+### GitHub Actions Security
+
+- **SHA-pinned actions**: All GitHub Actions are pinned to specific commit SHAs to prevent supply chain attacks
+- **Minimal permissions**: Workflows use the least privilege principle with `contents: read` permission
+- **SSH host key verification**: Known hosts are verified to prevent MITM attacks during mirroring
+- **Concurrency controls**: Prevents race conditions during parallel workflow runs
+- **Timeout limits**: All jobs have timeout limits to prevent resource exhaustion
+
+### Secret Management
+
+- SSH keys for mirror targets are stored as GitHub encrypted secrets
+- Mirror operations are conditionally enabled via repository variables
+- No secrets are logged or exposed in workflow outputs
+
+### Force Push Warning
+
+This repository uses `--force` push for mirroring operations. This is intentional for maintaining exact mirrors but means:
+- History on mirror targets will be overwritten
+- Tags on mirror targets will be force-updated
+- Only trusted maintainers should have push access to the main branch
+
+## Dependency Updates
+
+This project monitors for security updates in:
+- GitHub Actions (checkout, ssh-agent)
+- SSH host keys for mirror targets
+
+## Contact
+
+For security concerns, use GitHub's private security advisory feature or contact the repository maintainers directly.